Virtual Application Patch CVE-2017-9805

Updated: September 15, 2017
Revision: 001

Problem:

The REST Plugin in Apache Struts versions 2.1.2 through 2.3.x (before 2.3.34) and 2.5.x (before 2.5.13) uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, i.e. with no allow-list of the classes XStream may instantiate. This can lead to Remote Code Execution when the plugin deserializes attacker-supplied XML payloads. Source: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9805

Background:

CVE-2017-9805 was widely reported as the vulnerability used against Equifax (Equifax has since attributed its breach to CVE-2017-5638, a different Struts vulnerability), and exploitation of CVE-2017-9805 in the wild had already been observed before the breach became public. Customers whose application environment runs an affected version of Apache Struts with the REST plugin enabled should upgrade to 2.3.34 or 2.5.13 immediately. As an interim stop-gap measure, customers should deploy the recommended aFlex to reduce the risk to their infrastructure until the upgrade is complete.

Exploit Testing Script

Optimization of aFlex

Applications built on the same framework can still differ in behavior because of differences in their own logic. Tuning the aFlex to the application ensures the least amount of time is spent evaluating each request. This can be achieved by methods including, but not limited to, the following:
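The check below is an added example written for this page; it is not A10's aFlex and not Struts code. It models, in Python, the decision an edge device makes when virtually patching this issue: the cheap checks (HTTP method, Content-Type) run first so that requests the REST plugin would never deserialize cost nothing, and only XML bodies are parsed and held to an allow-list of element names, which is the type filtering the Problem section says the plugin lacks. The allow-list (`order`, `id`, `customer`, `quantity`, `sku`) is a constructed model for a hypothetical REST resource; a real deployment derives it from its own model classes. The size cap and DOCTYPE/ENTITY rejection are assumptions added so that the parser itself cannot be turned into a new attack surface.

```python
"""Model of a virtual-patch check for CVE-2017-9805 (Struts REST plugin / XStream).

Added example for this page, not A10 aFlex and not Struts code.  The ordering
matters: header checks are cheap and eliminate most traffic; XML parsing is
only done for bodies that XStreamHandler would actually deserialize.
"""
import re
import xml.etree.ElementTree as ET

# Constructed allow-list for a hypothetical /orders REST model (assumption).
# Any element outside it, or any XStream class="..." override, is rejected:
# this is the type filtering the vulnerable plugin does not perform.
ALLOWED_TAGS = {"order", "id", "customer", "quantity", "sku"}

XML_TYPES = ("application/xml", "text/xml")
MAX_BODY = 64 * 1024  # assumption: larger bodies are not legitimate for this model
DOCTYPE_RE = re.compile(rb"<!(DOCTYPE|ENTITY)", re.IGNORECASE)


def is_xml_request(method, headers):
    """Stage 1 (cheap): only methods and content types the REST plugin deserializes."""
    if method.upper() not in ("POST", "PUT", "PATCH"):
        return False
    hdrs = {k.lower(): v for k, v in headers.items()}
    ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
    return ctype in XML_TYPES


def classify_body(body):
    """Stage 2 (costly): parse the XML and enforce the element allow-list.

    Returns ("allow" | "block", reason).
    """
    if len(body) > MAX_BODY:
        return "block", "body exceeds size cap"
    if DOCTYPE_RE.search(body):
        # Reject DTDs before parsing so entity expansion never reaches the parser.
        return "block", "DOCTYPE/ENTITY declaration"
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return "block", f"malformed XML: {exc}"
    for el in root.iter():
        if el.tag not in ALLOWED_TAGS:
            return "block", f"unexpected element <{el.tag}>"
        if "class" in el.attrib:
            # XStream honours class="..." to select the concrete type; the
            # model never needs it, so its presence is a type-override attempt.
            return "block", f"class attribute on <{el.tag}>: {el.attrib['class']}"
    return "allow", "all elements in model allow-list"


def check_request(method, headers, body):
    """Full decision for one request: cheap stage first, parse only if needed."""
    if not is_xml_request(method, headers):
        return "allow", "not an XML body; REST plugin will not deserialize it"
    return classify_body(body)


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic).
    samples = [
        ("POST", {"Content-Type": "application/xml; charset=utf-8"},
         b"<order><id>17</id><customer>acme</customer><quantity>3</quantity><sku>X1</sku></order>"),
        ("POST", {"Content-Type": "application/xml"},
         b"<map><entry><order/></entry></map>"),
        ("GET", {"Content-Type": "application/xml"}, b"<map/>"),
        ("POST", {"Content-Type": "application/json"}, b'{"id": 17}'),
    ]
    for method, headers, body in samples:
        verdict, reason = check_request(method, headers, body)
        print(f"{method:4} {headers['Content-Type']:32} -> {verdict}: {reason}")
```

The same staging applies to an aFlex rule on the Thunder device: test the method and the Content-Type header before collecting the payload, so that the bulk of traffic is released without buffering, and parse the body only for the small fraction of requests that the REST plugin would hand to XStream.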

Disclaimer: The recommendations provided in this document are derived from multiple data sources, can only protect against known variants that have been disclosed to date, and address the general case. Functional testing has been performed, but no claim is made about performance. Each application is different, and A10 SERT can assist with in-depth analysis of special cases. If additional analysis is required, please contact A10 Technical Support to have your case escalated to the A10 SERT team.